[Pkg-samba-maint] [samba] 17/26: CVE-2013-4408:s3:Ensure LookupRids() replies arrays are range checked.
Ivo De Decker
idd-guest at moszumanska.debian.org
Mon Dec 9 22:22:16 UTC 2013
This is an automated email from the git hooks/post-receive script.
idd-guest pushed a commit to branch samba_4.1
in repository samba.
commit d96f88c91586c2aed60c9037eb86ffa6bb8259fb
Author: Jeremy Allison <jra at samba.org>
Date: Thu Nov 7 22:41:22 2013 -0800
CVE-2013-4408:s3:Ensure LookupRids() replies arrays are range checked.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185
Signed-off-by: Jeremy Allison <jra at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
source3/lib/netapi/group.c | 16 ++++++++++++++++
source3/lib/netapi/user.c | 16 ++++++++++++++++
source3/rpcclient/cmd_samr.c | 8 ++++++++
source3/utils/net_rpc.c | 7 ++++++-
source3/winbindd/winbindd_msrpc.c | 10 ++++++++--
source3/winbindd/winbindd_rpc.c | 10 ++++++++--
6 files changed, 62 insertions(+), 5 deletions(-)
diff --git a/source3/lib/netapi/group.c b/source3/lib/netapi/group.c
index 69c7af4..b806fc4 100644
--- a/source3/lib/netapi/group.c
+++ b/source3/lib/netapi/group.c
@@ -395,6 +395,14 @@ WERROR NetGroupDel_r(struct libnetapi_ctx *ctx,
werr = ntstatus_to_werror(result);
goto done;
}
+ if (names.count != rid_array->count) {
+ werr = WERR_BAD_NET_RESP;
+ goto done;
+ }
+ if (member_types.count != rid_array->count) {
+ werr = WERR_BAD_NET_RESP;
+ goto done;
+ }
}
for (i=0; i < rid_array->count; i++) {
@@ -1624,6 +1632,14 @@ WERROR NetGroupGetUsers_r(struct libnetapi_ctx *ctx,
werr = ntstatus_to_werror(result);
goto done;
}
+ if (names.count != rid_array->count) {
+ werr = WERR_BAD_NET_RESP;
+ goto done;
+ }
+ if (member_types.count != rid_array->count) {
+ werr = WERR_BAD_NET_RESP;
+ goto done;
+ }
for (i=0; i < names.count; i++) {
diff --git a/source3/lib/netapi/user.c b/source3/lib/netapi/user.c
index e699ad3..a971e2d 100644
--- a/source3/lib/netapi/user.c
+++ b/source3/lib/netapi/user.c
@@ -3114,6 +3114,14 @@ WERROR NetUserGetGroups_r(struct libnetapi_ctx *ctx,
werr = ntstatus_to_werror(result);
goto done;
}
+ if (names.count != rid_array->count) {
+ werr = WERR_BAD_NET_RESP;
+ goto done;
+ }
+ if (types.count != rid_array->count) {
+ werr = WERR_BAD_NET_RESP;
+ goto done;
+ }
for (i=0; i < names.count; i++) {
status = add_GROUP_USERS_INFO_X_buffer(ctx,
@@ -3716,6 +3724,14 @@ WERROR NetUserGetLocalGroups_r(struct libnetapi_ctx *ctx,
werr = ntstatus_to_werror(result);
goto done;
}
+ if (names.count != num_rids) {
+ werr = WERR_BAD_NET_RESP;
+ goto done;
+ }
+ if (types.count != num_rids) {
+ werr = WERR_BAD_NET_RESP;
+ goto done;
+ }
for (i=0; i < names.count; i++) {
status = add_LOCALGROUP_USERS_INFO_X_buffer(ctx,
diff --git a/source3/rpcclient/cmd_samr.c b/source3/rpcclient/cmd_samr.c
index 5bc8c0b..87882c3 100644
--- a/source3/rpcclient/cmd_samr.c
+++ b/source3/rpcclient/cmd_samr.c
@@ -2223,6 +2223,14 @@ static NTSTATUS cmd_samr_lookup_rids(struct rpc_pipe_client *cli,
goto done;
/* Display results */
+ if (num_rids != names.count) {
+ status = NT_STATUS_INVALID_NETWORK_RESPONSE;
+ goto done;
+ }
+ if (num_rids != types.count) {
+ status = NT_STATUS_INVALID_NETWORK_RESPONSE;
+ goto done;
+ }
for (i = 0; i < num_rids; i++) {
printf("rid 0x%x: %s (%d)\n",
diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
index e0c8eea..92964b5 100644
--- a/source3/utils/net_rpc.c
+++ b/source3/utils/net_rpc.c
@@ -2900,7 +2900,12 @@ static NTSTATUS rpc_list_group_members(struct net_context *c,
if (!NT_STATUS_IS_OK(result)) {
return result;
}
-
+ if (names.count != this_time) {
+ return NT_STATUS_INVALID_NETWORK_RESPONSE;
+ }
+ if (types.count != this_time) {
+ return NT_STATUS_INVALID_NETWORK_RESPONSE;
+ }
/* We only have users as members, but make the output
the same as the output of alias members */
diff --git a/source3/winbindd/winbindd_msrpc.c b/source3/winbindd/winbindd_msrpc.c
index 61447d3..426d64c 100644
--- a/source3/winbindd/winbindd_msrpc.c
+++ b/source3/winbindd/winbindd_msrpc.c
@@ -744,14 +744,20 @@ static NTSTATUS msrpc_lookup_groupmem(struct winbindd_domain *domain,
/* Copy result into array. The talloc system will take
care of freeing the temporary arrays later on. */
- if (tmp_names.count != tmp_types.count) {
- return NT_STATUS_UNSUCCESSFUL;
+ if (tmp_names.count != num_lookup_rids) {
+ return NT_STATUS_INVALID_NETWORK_RESPONSE;
+ }
+ if (tmp_types.count != num_lookup_rids) {
+ return NT_STATUS_INVALID_NETWORK_RESPONSE;
}
for (r=0; r<tmp_names.count; r++) {
if (tmp_types.ids[r] == SID_NAME_UNKNOWN) {
continue;
}
+ if (total_names >= *num_names) {
+ break;
+ }
(*names)[total_names] = fill_domain_username_talloc(
mem_ctx, domain->name,
tmp_names.names[r].string, true);
diff --git a/source3/winbindd/winbindd_rpc.c b/source3/winbindd/winbindd_rpc.c
index 6b88c84..0986d82 100644
--- a/source3/winbindd/winbindd_rpc.c
+++ b/source3/winbindd/winbindd_rpc.c
@@ -871,14 +871,20 @@ NTSTATUS rpc_lookup_groupmem(TALLOC_CTX *mem_ctx,
/* Copy result into array. The talloc system will take
care of freeing the temporary arrays later on. */
- if (tmp_names.count != tmp_types.count) {
- return NT_STATUS_UNSUCCESSFUL;
+ if (tmp_names.count != num_names) {
+ return NT_STATUS_INVALID_NETWORK_RESPONSE;
+ }
+ if (tmp_types.count != num_names) {
+ return NT_STATUS_INVALID_NETWORK_RESPONSE;
}
for (r = 0; r < tmp_names.count; r++) {
if (tmp_types.ids[r] == SID_NAME_UNKNOWN) {
continue;
}
+ if (total_names >= num_names) {
+ break;
+ }
names[total_names] = fill_domain_username_talloc(names,
domain_name,
tmp_names.names[r].string,
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-samba/samba.git
More information about the Pkg-samba-maint
mailing list